
It’s no big surprise that USB drives can carry malware, or that they can infect our computers if we don’t keep them malware-free with antivirus software and reformatting.

But those aren’t the only reasons USB drives are not secure, say researchers at SR Labs. By creating their own malware, named “BadUSB,” they’ve found USB devices have deeper, more fundamental security problems. A USB drive carrying BadUSB can take over a PC, change files on a memory stick without a user noticing, and redirect that user’s Internet traffic. And because the malware is housed inside a USB drive’s firmware, rather than in the flash memory storage, its code can’t be deleted even after all the other files on the drive have been wiped, according to a story by Wired.

The worst part of all this is that the USB drive can’t be patched, say the two researchers who made the discovery. Karsten Nohl and Jakob Lell spent months reverse-engineering a USB drive’s basic firmware and altering the controller chips that allow USB drives to communicate with a PC through a USB port and to transfer files between the PC and the drive. Because the malware lives in that firmware, cleaning a USB drive by scanning and deleting files doesn’t deal with the firmware itself. They’ll be presenting their findings next week during Black Hat, a security conference in Las Vegas.

Nor is this discovery limited to just USB drives – any USB device can have its firmware reprogrammed, and that includes keyboards, mice, and smartphones. That means the list of possibilities is endless: a hacker using this technique could replace software with corrupted versions, type commands, siphon traffic off to other servers, or spy on communications from one machine to another.

Given what Nohl and Lell have found, what does this mean for consumers using USB drives? Essentially, we’ll have to approach their use in a whole different way – almost like hypodermic needles, Nohl told Wired. Any time users connect a USB drive to their desktops, they’ll need to be mindful of who gave it to them, and whether that person is trustworthy, which takes away from the convenience of using the drive.

The alternative would be to convince USB device makers the threat is real – but in the meantime, USB drive users will just have to pay attention to how they’re using them.

Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.

I think it was a couple of years ago when some company did a security test on their employees by “dropping” USB keys and waiting to see how many employees would not only take one but insert it into their work computer. So if a few USB keys have modified firmware, look how much damage can be done. Don’t even put anything on the data side of the key. They will probably continue to use it, maybe use it at home. Pass it along to friends. Of course, a decent-size key, like 16GB. Most tend to throw out anything under 4GB.